7/19/2017

Dow Jones & Company, an American news and financial information firm, accidentally exposed the data of millions of its customers. Researchers found the data online in an Amazon Web Services (AWS) S3 bucket that had not been correctly configured.

On May 30, Chris Vickery of cyber resilience firm UpGuard discovered that an AWS data repository named “dj-skynet” contained the information of millions of Dow Jones customers. Dow Jones disabled access to the files on June 6.

The files include customer information such as names, addresses, IDs, subscription details, phone numbers and credit card information. For subscribers to the Dow Jones publications The Wall Street Journal and Barron's, the files also contain phone numbers.

The files reportedly also exposed 1.6 million entries from Dow Jones Risk and Compliance, a risk management and regulatory compliance service for financial institutions.

UpGuard stated that Dow Jones had configured the repository's permissions to allow access to anyone with an AWS account. There are more than 1 million Amazon cloud users, and anyone can sign up for an account for free.

UpGuard claims that the data of around 4.4 million customers was leaked, but according to Dow Jones only 2.2 million customers were affected. The difference was due to some duplicate entries, according to the security firm.

It is still not known whether the affected customers have been notified, but in a statement to The Wall Street Journal the company downplayed the incident, stating that no evidence has been found that the data was taken by anyone and that the exposed information does not pose any risk to users.

UpGuard, however, disagrees with this statement. It stated that hackers could misuse the data for social engineering schemes and phishing.

In recent weeks, the security firm has also reported leaks of data belonging to the U.S. National Geospatial-Intelligence Agency (NGA), American voters, and Verizon customers. All of these incidents were due to the vulnerable nature of the Amazon S3 buckets involved.

Bitglass CEO Rich Campagna said in a statement to SecurityWeek:
“Yet another demonstration of how services such as AWS are missing basic steps that ensure their data and services are configured in a secure fashion,”

Campagna said that it seems there is no intelligent mind that could implement data-centric security tools even on the simple information that could be exposed to the public. This step would help ensure that cloud services deny unauthorized access and that organizations take all necessary steps to keep their encrypted data secure. Dow Jones, Verizon or any other company that uses the public cloud for its infrastructure can define policies that let employees, teams and third parties effectively secure customer data stored in the cloud.